It was actually a report that we wrote for this customer, to assure them that although other detection mechanisms weren't flagging these pages, we were rightfully flagging them as malicious.

Soon after publishing the blog, we realized that it was the same widget that got the boingboing.com parked domain infected, which we blogged about back in May.

Yesterday I had some time to sit down and study this widget further, and discovered something critical--it's a part of the standard domain parking page of Network Solutions.

And so, just how many domains (not pages) are currently affected and serving malware?

More than 500,000 domains, according to Google. According to Yahoo, add a zero to that: at least 5,000,000 domains.

I didn't have time to click on every single one of them, but I clicked on enough to conclude that all of them are indeed infected, via the same widget we blogged about a few days ago. Also, neither Google nor Yahoo actually shows all results: Google shows the first 45 pages only, and Yahoo shows the first 100 only. So we couldn't really go through all the domains one by one, and 5 million is too large a number for manual verification anyway.

Deciding to look a bit deeper to see if there were other infections, I realized that there are. The behavior is much the same as in our boingboing.com alert back in May.

Analyzing this and comparing it with the traffic logs from the boingboing.com post back in May, we concluded that the attacker uses the following free traffic analysis services, which are the two most popular choices among attackers in greater China--cnzz and 51.la. Specifically, the following accounts are used:

Since both accounts were registered under the handle "skbanner," we assume this is not multiple infections by different attackers but the same attacker using two counters. The 51.la account can be accessed:

First, the account was registered on Feb 5th. A day later, on Feb 6th, Tata Consulting Services, which uses Network Solutions as its domain registrar, had its DNS records manipulated, according to TechCrunch and other media. This all happened shortly after Jan 19th, when Network Solutions publicly acknowledged that some of their sites had been hacked and that they were addressing the problem.

The 51.la "skbanner" counter recorded 2,683,120 cumulative page views--that's a lot of victims out there.

The highest page view count was seen on April 3rd, 2010. This time frame is close to the largest incident in this series--on April 7th, WordPress admins started to post on the WordPress Forum complaining that their WordPress sites on Network Solutions had been compromised and were serving malware. That thread had 151 posts total.

Network Solutions acknowledged the problem on April 9th with a blog post, Alert: WordPress Blog & Network Solutions. If these events were associated, then sometime in early April the attacker group must have decided to leverage the control they had over Network Solutions, and massively injected malicious content not into the default parked domain page but rather into the hosted WordPress blogs and/or websites.

It's concerning that this series of compromises happened starting Jan of this year, and today we are still seeing more than 500,000 Network Solutions domains actively serving malware as we write.

We also just registered a domain, armorizetest.com, with Network Solutions, and verified that it indeed actively serves malware the moment that it's up. Here's what we did:

First we paid for our domain:

Then we set it to park using the "standard construction page":

It's done. We connect to our newly purchased and parked domain, and as you can see, the fake (and malicious) QQ message box pops up, and the compromised (and malicious) Network Solutions SMCI widget is there too. From the traffic, yes, it's serving malicious content, which is the same as described in our last blog post.

One of the dropped malware executables is: C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe

The hidden directory SystemProc is created by a JavaScript exploit.

Follow-up: We have managed to get in touch with Network Solutions, and within less than three hours they acted and took down the widget. Actually, they commented the code out, so you can still see it if you "view source."

At the same time, while trying to figure out the exact number of affected domains, we realized that Yahoo is probably more correct on this--it was more than five million domains! Here's a video:

Finally, as to the dropped malware lsass.exe itself, here's what it does (credits to Chris Hsiao):

When run, it creates the following components:

%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul
%USERPROFILE%\Application Data\SystemProc\lsass.exe

The following registry value is added in order to auto-start itself after reboot:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL" = "%appdata%\SystemProc\lsass.exe"

It monitors the following Web browsers:

Explorer, Opera, Chrome, Firefox

User searches using the following search engines are redirected to another Web site:

Google, Ask, Yahoo!, AOL, Bing

It monitors the following search terms and pops up advertisements accordingly:

cialis, pharma, casino, finance, mortgage, insurance, gambling, health, hotel, travel, antivirus, antivir, pocker, poker, video, baby, bany, porn, golf, diet, vocations, design, graphic, football, footbal, estate, baseball, shop, books, gifts, money, spyware, credit, loans, loan, dating, ebay, myspace, virus, film, ipod, verizon, amazon, iphone, software, movie, mobile, bank, music, cars, craigslist, game, sport, medical, school, wallpaper, military, weather, twitter, fashion, spybot, trading, tramadol, yobt, flower, cigarettes, doctor, flights, airlines, comcast

It retrieves the following URLs to fetch commands and download more malware (links currently not working):

http://updrandomhottys.com/update.php?sd=2010-03-23&aid=blackout
http://updrandomhottys.com/inst.php?aid=blackout
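As an added example (our own, not Armorize's or Chris Hsiao's code), here is a small Python triage routine that checks a host snapshot for the persistence artifacts listed above: the RTHDBPL Run value, the SystemProc drop directory and the Firefox extension GUID. The snapshot data (SAMPLE_RUN, SAMPLE_PATHS) is constructed, and the lsass.exe check generalizes beyond this sample, since the genuine lsass.exe is never launched from a Run key at all.

```python
# Host triage for the lsass.exe dropper analysed above. Added example, not
# Armorize's code: it checks a constructed snapshot (Run values plus a file
# listing) offline instead of querying a live host.
import ntpath

# Indicators from the analysis: Run value name, Firefox extension GUID,
# and the hidden drop directory under Application Data.
RUN_VALUE_NAME = "RTHDBPL"
FIREFOX_EXT_GUID = "{9ce11043-9a15-4207-a565-0c94c42d590d}"
DROP_DIR = "systemproc"


def image_path(cmd):
    """Extract the executable path from a Run value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def triage(run_values, paths):
    """Return (indicator, detail) findings for one host snapshot."""
    findings = []
    for name, cmd in run_values.items():  # HKLM\...\Run name -> command
        if name == RUN_VALUE_NAME:
            findings.append(("run_value_name", f"{name} = {cmd}"))
        # The genuine lsass.exe is started by the system, never from a
        # Run key, so any Run entry launching lsass.exe is a masquerade.
        if ntpath.basename(image_path(cmd)).lower() == "lsass.exe":
            findings.append(("lsass_in_run_key", cmd))
    for p in paths:  # files and directories present on the host
        low = p.lower()
        if DROP_DIR in low.split("\\"):
            findings.append(("systemproc_dir", p))
        if FIREFOX_EXT_GUID in low:
            findings.append(("firefox_extension", p))
    return findings


# Constructed sample snapshot mirroring the artifacts the post lists.
SAMPLE_RUN = {
    "RTHDBPL": r"%appdata%\SystemProc\lsass.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /quiet',
}
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe",
    r"C:\Program Files\Mozilla Firefox\extensions"
    r"\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul",
    r"C:\Windows\System32\lsass.exe",  # the real one: not a finding
]
```

On a live host the same checks would be fed from the Run key and a directory walk of Application Data and the Firefox extensions folder; the real lsass.exe in System32 produces no finding.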


About Armorize Technologies Inc.

Armorize Technologies provides next-generation Web application security solutions traversing the System Development Life Cycle (SDLC).
As part of the Armorize Appsec Suite™, SmartWAF™ integrates with both the CodeSecure™ Source Code Analysis platform and the Hackalert™ Malware Monitoring service to provide end-to-end security for Web applications.
Headquartered in Santa Clara, CA, with its R&D center in the Nan Kang Software Park in Taipei, Taiwan, Armorize has a global customer base with clients among finance, telecom, government and technology sector leaders. For more information visit www.armorize.com